Normally, you don't know about these because they are loaded at boot time either via the registry (a part of the operating system that Microsoft warns all users not to read or modify), via Start / Programs / Startup, or by some other method.
In general, when you press Alt-Ctrl-Del (Win 95) you can see those non-operating-system programs which are currently running and consuming system resources. Some of these, such as Explorer (the program that displays the Windows desktop), are required by the operating system even though they are not a part of it. You should also see your virus protection software here. However, others, such as the advertising parasite TSADBOT.EXE, are not wanted or needed. (At least I don't want it! :)
Rather than delete these entries, I simply comment them out and annotate them with the date and reason. For those in the registry, you can place a few garbage characters (xx) at the beginning of the entry followed by the date; in config.sys and autoexec.bat, use the standard rem statement; and for those in the StartUp directory, move them to another directory created for that purpose.
Comet Cursor
Of course, I've heard of this before, but the write-ups seemed pretty innocuous - no one ever hinted at how bad this thing really is.
This discussion is not about privacy or security (though they are both issues). Instead, it is about system performance. With Comet Cursor, system performance is significantly reduced.
Performance
In 4 hours with this disabled (via ZoneAlarm), MS Access and the Kernel grabbed my machine only twice (that I noticed). On the previous day, with it running, MS Access and the Kernel grabbed the machine about every 10 minutes. It is hard to prove cause and effect ... but for my money, my machine runs MUCH better with it disabled.
Whatever you do, don't simply delete COMET.DLL. There are so many registry hooks that you really should uninstall it. This can be done via Control Panel / Add/Remove Programs.
Once it is "removed", then you should run Ad-Aware to verify that it is actually gone.
More: After a re-boot, the Kernel is grabbing the machine again. Using the All Open Files of Taskinfo 2000, 6 copies of Comet.dll are currently running on my machine - one is attached to Windows Explorer, one is attached to IE, and four are not accounted for. Also, Zone Alarm did NOT prompt me if it was ok for this parasite to access the internet.
Troubleshooting a Performance Problem
Using the Microsoft System Monitor (Start / Programs / Accessories / System Monitor - it is on your Windows CD, but you must install it), I noticed that the cpu kept going to 100% utilization. Hum. Well, I wanted to know why - which application was crashing my system.
At this point, I loaded and configured Taskinfo 2000 to run every time the system booted. Well, it turned out to be 2 "applications" - MS Access and the Kernel. Pretty weird. I'm sitting there, not doing anything, and one of these 2 programs would simply hog the computer for several seconds.
Well, that was not a very satisfactory answer. So I loaded ZoneAlarm, a free firewall which blocks and/or reports both incoming and outgoing TCP/IP traffic. By default, you get prompted each time an application tries to access the network.
http://www.cometsystems.com/contact/host1net.shtml
Searching the registry for 198.65.220.247 came up blank.
A search of all the files on the hard drive for "198.65" came up blank.
Based on the registry info
C:\WIN98\SYSTEM\csuninst.exe
HKLM\Software\Comet
HKLM\Software\Comet Systems
What really bothers me is that I can't find out why it's running. It's not in the registry, autoexec.bat, win.ini, or the like. I guess that Windows Explorer is doing the dirty work. It also appears that the IP address is hidden in some manner.
Removed Using the Control Panel
After a re-boot, the dll was still there, but it was no longer running.
Ad-Aware 5.0 found
HKLM\Software\Comet
HKLM\Software\Comet Systems
HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WIN98\SYSTEM\COMET.DLL
I decided to leave this on the system to see if it would automatically start again. I have fairly tight security, but you never know. If RealAudio ever runs, this parasite will fully re-install itself.
Loadwc.exe
This parasite is executed via the following registry key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
BrowserWebCheck="loadwc.exe"
Starting with IE 5.0 under Windows 98, you cannot simply disable webcheck, because it gets called by Windows Explorer even if loadwc.exe is never run.
The IE 4 version of webcheck is not compatible with IE 5. If it isn't updated (or perhaps Windows is reloaded) there will be continuous errors (I've seen about once an hour) similar to
Explorer caused an exception 6d007fh in module Webcheck.dll
This error occurs whether you are running Internet Explorer or not. (I've personally seen it both ways.) Since msinfo indicates that webcheck is a part of IE 5, and since Windows Explorer causes a webcheck error about once an hour, it appears that IE 5 is more tightly integrated with the operating system than IE 4.72 was.
To check the version, use msinfo, or in Windows Explorer, right click the file, select Properties and click the Version tab. 5.00.2919.6304 is ok for IE 5; 4.72.3110.0 is not.
PKWARE Parasite
As of 02-15-2001, the shareware version of pkzip no longer comes with the TSADBOT parasite. Apparently, Conducent (the maker of TSADBOT) has gone out of business.
On July 7, 1998, PKWARE announced that the shareware version of pkzip for Windows would ship with special advertisement software. Always running on your system, this parasite allows advertisements to be downloaded from an ad server. The ads are displayed whenever pkzip is running.
Don't get me wrong, PKWARE can do anything it wants to its products; it's the loading of a permanently resident program at boot time that I take exception to. In addition, it appears that the program uses the internet even though pkzip is not running.
This parasite is executed via the following registry key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
TimeSink Ad Client="C:\Program Files\TimeSink\AdGateway\TSADBOT.EXE"
The new version of pkzip is able to uninstall the parasite.
Find Fast
On a brand new, never before used NT 4.0 SP3 system with an empty D-drive, Find Fast placed the following files

File | Bytes
---|---
ffastun.ffa | 4,109
ffastun.ffl | 8,192
ffastun.ffo | 4,096
ffastun0.ffx | 4,096
total | 20,493

And after copying about 12,200 files (~350Mb) to the D-drive and waiting over night

File | Bytes
---|---
ffastun.ffa | 4,379
ffastun.ffl | 131,072
ffastun.ffo | 57,344
ffastun0.ffx | 327,680
total | 520,475

Find Fast is run via Start / Programs / Startup.
This parasite causes lots of disk activity whenever no one is using the machine. While it may speed up some searches, there is little documentation explaining what it does. (See Overview of Find Fast Indexer for some details.) It is my observation that it frequently activates the hard drive and slows down overall system performance.
When you first boot your system, this parasite is dormant, merely consuming memory but not using a lot of CPU time. After a while, it wakes up, using about 50% of the available processor capacity. (So far, this is not unlike a screen saver which stays in the background until the timer triggers.) However, unlike the screen saver, which goes back to sleep, once this parasite is active it stays active until you re-boot the system.
On an NT 4 system, right click the Task Bar and select Task Manager. On my NT 4 system, under Processes there are 2 instances of FindFast.exe! Currently, my processor indicates that it has been 27 hours since the last re-boot, and 1.5 hours have been used by FindFast.exe! This means that 5.5% of the computer's bandwidth is being wasted by this parasite. In addition, the hard drive is being accessed a little faster than once a second.
I killed it with the End Process button. Now the hard drive is quiet.
Program | Mon | Wed
---|---|---
System Idle Process | 34:42 | 59:28
FINDFAST.EXE | 32:36 | 57:33
FINDFAST.EXE | 0:00 | 0:00
System | 0:42 | 1:14
TASKMGR.EXE | 2:22 | 5:52
explorer.exe | 0:46 | 1:39
This system currently has 64 Meg of memory and is using about 40 Meg. Imagine if I had only 32 Meg of RAM how much thrashing there would be.
Over several days of observation, 2 of which are shown above, the findfast CPU Time stayed approximately 2 hours behind the System Idle Process. I assume that this is approximately how long the system was on before findfast activated and that afterwards findfast consumed about 50% of the available CPU time.
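The reasoning in the last two paragraphs, worked through on the table's figures as an added example (not part of the original page): the CPU Time column is parsed, Find Fast's share of the time that was otherwise idle is computed for each day, and the "idle minus Find Fast" gap that the author reads as the pre-activation delay is reported. The second, all-zero FINDFAST.EXE row is omitted.

```python
# Task Manager "CPU Time" figures from the table above, re-entered here as h:mm.
CPU_TIME = {
    "Mon": {"System Idle Process": "34:42", "FINDFAST.EXE": "32:36", "System": "0:42",
            "TASKMGR.EXE": "2:22", "explorer.exe": "0:46"},
    "Wed": {"System Idle Process": "59:28", "FINDFAST.EXE": "57:33", "System": "1:14",
            "TASKMGR.EXE": "5:52", "explorer.exe": "1:39"},
}
IDLE = "System Idle Process"

def to_minutes(hhmm):
    """Convert a Task Manager h:mm CPU Time string to whole minutes."""
    h, m = hhmm.split(":")
    return int(h) * 60 + int(m)

def share_of_available(day, process):
    """Fraction of the CPU time that was either idle or charged to the process,
    i.e. the share the process took of capacity that would otherwise have been free."""
    p, i = to_minutes(CPU_TIME[day][process]), to_minutes(CPU_TIME[day][IDLE])
    return p / (p + i)

def lag_minutes(day, process):
    """Idle time minus process time. If the process took ~50% of the CPU from the
    moment it woke up, this difference is roughly how long it slept beforehand."""
    return to_minutes(CPU_TIME[day][IDLE]) - to_minutes(CPU_TIME[day][process])

def summarise(process="FINDFAST.EXE"):
    """Per day: (share of available CPU, rounded to 3 places; lag in minutes)."""
    return {day: (round(share_of_available(day, process), 3), lag_minutes(day, process))
            for day in CPU_TIME}

if __name__ == "__main__":
    for day, (share, lag) in summarise().items():
        print(f"{day}: Find Fast took {share:.1%} of available CPU; trailed idle by {lag // 60}:{lag % 60:02d}")
```

On both days the share comes out just under 50% and the gap is about two hours (2:06 and 1:55), which is the consistency the author is pointing at.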
Microsoft's Indexing Service
Apparently, this feature is implemented via Mosearch.exe and Mosdmn.exe, neither of which shows up in the task manager. As with findfast, don't just delete these files. Instead, follow the (very confusing) instructions provided in OFFXP: Hard Disk Runs Continuously After You Install Office XP (Q282106) to disable it. Unfortunately, this feature must be disabled for each installed Office XP application.
Registration Parasites
Well behaved registration software should run only when you start the associated product. (This is how the standard shareware nag windows work. Irritating, but not a parasite.) In addition, it must remove itself from the hard drive when its task is completed.
HP Registration Parasite
When you eventually say that the product is registered, the registration program is not removed from your hard disk. In my opinion, this is completely unacceptable and supports my position that this program should be considered as a parasite.
Borland Registration Parasite
[windows]
load=C:\BC5\PIPELINE\remind.exe
According to InControl (InCtrl 3), when you indicate that you have already registered, the program simply removes that line and leaves the parasite on your hard drive.
SpyWare
mdm.exe
It is loaded at boot time via
HKLM\..\RunServices
In addition to running every time you boot, it creates temporary files each time you boot ... but NEVER deletes them. (Go MS, like I need another 1,000 extra unused temporary files.)
You know that you have a problem when you start to see files whose names start with fff, such as
fffeeecf_{44BE8B61-235B-11D2-8E66-D59A4E66D32D}.tmp
I see this as a border-line parasite. It is definitely a nuisance, and it is very badly behaved, but, perhaps it is useful.
This Microsoft reference states that the extra files accumulate in Windows 95 and 98, but not in NT 4.
Possible Spyware: RPCSS.EXE, mdm.exe provides additional information - specifically that multiple copies of mdm.exe will run concurrently.
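The autostart locations this page keeps returning to (the Run and RunServices keys, the win.ini load= line, and the habit described at the top of commenting entries out with an xx prefix and a date rather than deleting them) can be audited from exported copies of those files. This is an added example, not code from the original page: the .reg export and win.ini text are constructed from the entries quoted above (the value names for the RunServices and ScanRegistry lines and the commented-out TSADBOT line are invented), and the watchlist is an assumption that a practitioner would replace with their own.

```python
import re

# Watchlist of programs this page calls parasites (an assumption; keep your own).
WATCHLIST = {"tsadbot.exe", "loadwc.exe", "remind.exe", "mdm.exe"}
# Constructed sample input modelled on the entries quoted on this page (value names invented).
REG_EXPORT = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WIN98\\scanregw.exe /autorun"
"BrowserWebCheck"="loadwc.exe"
"TimeSink Ad Client"="xx2001-02-15 pkzip update C:\\Program Files\\TimeSink\\AdGateway\\TSADBOT.EXE"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Machine Debug Manager"="C:\\WIN98\\SYSTEM\\mdm.exe"
'''
WIN_INI = "[windows]\nload=C:\\BC5\\PIPELINE\\remind.exe\nrun=\n"

def parse_reg_export(text):
    # Yield (key, value name, command) for every string value in a .reg export.
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            key = line.strip("[]")
        elif key and (m := re.match(r'"([^"]*)"="(.*)"$', line)):
            yield key, m.group(1), m.group(2).replace("\\\\", "\\")

def parse_win_ini(text):
    # Yield (source, key, command) for non-empty load=/run= lines of [windows].
    section = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            section = line.strip("[]").lower()
        elif section == "windows" and "=" in line:
            k, v = (s.strip() for s in line.split("=", 1))
            if k.lower() in ("load", "run") and v:
                yield "win.ini [windows]", k, v

def audit(entries):
    # One dict per autostart entry: executable name, commented out (xx prefix)?, on the watchlist?
    report = []
    for source, name, command in entries:
        m = re.search(r'([^\\/\s"]+\.(?:exe|dll))', command, re.I)
        exe = m.group(1).lower() if m else command.lower()
        report.append({"source": source, "name": name, "exe": exe,
                       "disabled": command.lower().startswith("xx"),
                       "flagged": exe in WATCHLIST})
    return report

if __name__ == "__main__":
    for r in audit(list(parse_reg_export(REG_EXPORT)) + list(parse_win_ini(WIN_INI))):
        state = ("xx-disabled" if r["disabled"] else "active") + (", WATCHLIST" if r["flagged"] else "")
        print(f"{r['source']}: {r['name']} -> {r['exe']} ({state})")
```

On a live Win9x/NT box the same parsers can be pointed at a regedit export of the two Run keys and at the real win.ini, which leaves the entries themselves untouched, in keeping with the comment-out-rather-than-delete approach above.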
AOL
I provide support for an application that uses VBScript, and AOL overwrites the VBSCRIPT.DLL file without asking or checking. Since it ALWAYS puts an old version there in place of the existing one, my apps STOP WORKING! We have advised all our users NOT to install AOL under ANY CONDITIONS. I HATE IT.
The article states that most of the bad (old) dlls are in a private directory, and as I understand it, this practice is acceptable. However, the article claims that this is the cause of the problem.
To quote another article by the same person, the following is presented as AOL's view
AOL's own tech support admits that--- oops!---installing AOL may make your system unable to connect to other ISPs, and that--- oops!--- your internet-sharing software (such as Win98's ICS) may no longer work. But these aren't bugs. It's the software installing itself in exactly the way AOL intends. You simply have to do things the AOL way, period.
I don't know what the truth is.
Be careful!
RealAudio / RealPlayer
Many people like RealAudio; it may even be good software. However, if you configure it so that it does not run every time you start your machine (this requires hacking the registry), the next time you run the software it will reconfigure itself so that, once again, it automatically starts at boot.
References
scumware.com has nothing nice to say about the ScumLords that add advertising links to other people's pages. (He refers to this as "traffic theft" and "pirated traffic".) This site even has javascript that "will tell you if your computer is infected with either the TopText or the Surf+ ScumWare infection".
Ad-Aware detects, and optionally removes, advertising programs that "call home" and exchange statistical data.
SpywareInfo - the name says it all.